ARPTABLES(8)                System Manager's Manual               ARPTABLES(8)

NAME
       arptables - ARP table administration (legacy)

SYNOPSIS
       arptables [-t table] -[AD] chain rule-specification [options]
       arptables [-t table] -[RI] chain rulenum rule-specification [options]
       arptables [-t table] -D chain rulenum [options]
       arptables [-t table] -[LFZ] [chain] [options]
       arptables [-t table] -[NX] chain
       arptables [-t table] -E old-chain-name new-chain-name
       arptables [-t table] -P chain target [options]

       This tool uses the old xtables/setsockopt framework and is a legacy
       version of arptables. That means that a newer tool exists with the
       same functionality, built on the nf_tables framework, and you are
       encouraged to migrate now. The new binaries (formerly known as
       -compat) use the same syntax and semantics as this legacy one.

       You can still use this legacy tool. You should probably get some
       specific information from your Linux distribution or vendor. More
       docs are available at https://wiki.nftables.org

DESCRIPTION
       arptables is a user space tool used to set up and maintain the tables
       of ARP rules in the Linux kernel. These rules inspect the ARP frames
       which they see. arptables is analogous to the iptables user space
       tool, but arptables is less complicated.

CHAINS
       The kernel table is used to divide functionality into different sets
       of rules. Each set of rules is called a chain. Each chain is an
       ordered list of rules that can match ARP frames. If a rule matches an
       ARP frame, then a processing specification tells what to do with that
       matching frame. The processing specification is called a 'target'.
       However, if the frame does not match the current rule in the chain,
       then the next rule in the chain is examined and so forth. The user
       can create new (user-defined) chains which can be used as the
       'target' of a rule.

TARGETS
       A firewall rule specifies criteria for an ARP frame and a frame
       processing specification called a target. When a frame matches a
       rule, then the next action performed by the kernel is specified by
       the target. The target can be one of these values: ACCEPT, DROP,
       CONTINUE, RETURN, an 'extension' (see below) or a user-defined chain.

       ACCEPT means to let the frame through. DROP means the frame has to be
       dropped. CONTINUE means the next rule has to be checked. This can be
       handy to know how many frames pass a certain point in the chain or to
       log those frames. RETURN means stop traversing this chain and resume
       at the next rule in the previous (calling) chain. For the extension
       targets please see the TARGET-EXTENSIONS section of this man page.

TABLES
       There is only one ARP table in the Linux kernel. The table is filter.
       You can drop the '-t filter' argument to the arptables command. The
       -t argument must be the first argument on the arptables command line,
       if used.

       -t, --table
              filter, is the only table and contains two (Linux kernels
              2.4.X) or three (Linux kernels 2.6.0 and later) built-in
              chains: INPUT (for frames destined for the host), OUTPUT (for
              locally-generated frames) and FORWARD (for frames being
              forwarded by the bridge code). The FORWARD chain doesn't exist
              in Linux 2.4.X kernels.

       After the initial arptables command line argument, the remaining
       arguments can be divided into several different groups. These groups
       are commands, miscellaneous commands, rule-specifications,
       match-extensions, and watcher-extensions.

COMMANDS
       The arptables command arguments specify the actions to perform on the
       table defined with the -t argument. If you do not use the -t argument
       to name a table, the commands apply to the default filter table. With
       the exception of the -Z command, only one command may be used on the
       command line at a time.

       -A, --append
              Append a rule to the end of the selected chain.

       -D, --delete
              Delete the specified rule from the selected chain. There are
              two ways to use this command. The first is by specifying an
              interval of rule numbers to delete, syntax: start_nr[:end_nr].
              Using negative numbers is allowed; for more details about
              using negative numbers, see the -I command. The second usage
              is by specifying the complete rule as it would have been
              specified when it was added.

       -I, --insert
              Insert the specified rule into the selected chain at the
              specified rule number. If the current number of rules equals
              N, then the specified number can be between -N and N+1. For a
              positive number i, it holds that i and i-N-1 specify the same
              place in the chain where the rule should be inserted. The
              number 0 specifies the place past the last rule in the chain
              and using this number is therefore equivalent to using the -A
              command.

       -R, --replace
              Replace the rule at the specified rule number in the selected
              chain with the specified rule. If the current number of rules
              equals N, then the specified number can be between 1 and N. i
              specifies the place in the chain where the rule should be
              replaced.

       -P, --policy
              Set the policy for the chain to the given target. The policy
              can be ACCEPT, DROP or RETURN.

       -F, --flush
              Flush the selected chain. If no chain is selected, then every
              chain will be flushed. Flushing the chain does not change the
              policy of the chain, however.

       -Z, --zero
              Set the counters of the selected chain to zero. If no chain is
              selected, all the counters are set to zero. The -Z command can
              be used in conjunction with the -L command. When both the -Z
              and -L commands are used together in this way, the rule
              counters are printed on the screen before they are set to
              zero.

       -L, --list
              List all rules in the selected chain. If no chain is selected,
              all chains are listed.

       -N, --new-chain
              Create a new user-defined chain with the given name. The
              number of user-defined chains is unlimited. A user-defined
              chain name has a maximum length of 31 characters.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no
              remaining references to the specified chain, otherwise
              arptables will refuse to delete it. If no chain is specified,
              all user-defined chains that aren't referenced will be
              removed.

       -E, --rename-chain
              Rename the specified chain to a new name. Besides renaming a
              user-defined chain, you may rename a standard chain name to a
              name that suits your taste. For example, if you like
              PREBRIDGING more than PREROUTING, then you can use the -E
              command to rename the PREROUTING chain. If you do rename one
              of the standard arptables chain names, please be sure to
              mention this fact should you post a question on the arptables
              mailing lists. It would be wise to use the standard name in
              your post. Renaming a standard arptables chain in this fashion
              has no effect on the structure or function of the arptables
              kernel table.


MISCELLANEOUS COMMANDS
       -V, --version
              Show the version of the arptables userspace program.

       -h, --help
              Give a brief description of the command syntax.

       -j, --jump target
              The target of the rule. This is one of the following values:
              ACCEPT, DROP, CONTINUE, RETURN, a target extension (see
              TARGET-EXTENSIONS) or a user-defined chain name.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and
              byte counters of a rule (during INSERT, APPEND, REPLACE
              operations).


RULE-SPECIFICATIONS
       The following command line arguments make up a rule specification (as
       used in the add and delete commands). A "!" option before the
       specification inverts the test for that specification. Apart from
       these standard rule specifications there are some other command line
       arguments of interest.

       -s, --source-ip [!] address[/mask]
              The Source IP specification.

       -d, --destination-ip [!] address[/mask]
              The Destination IP specification.

       --source-mac [!] address[/mask]
              The source MAC address. Both mask and address are written as 6
              hexadecimal numbers separated by colons.

       --destination-mac [!] address[/mask]
              The destination MAC address. Both mask and address are written
              as 6 hexadecimal numbers separated by colons.

       -i, --in-interface [!] name
              The interface via which a frame is received (for the INPUT and
              FORWARD chains). The flag --in-if is an alias for this option.

       -o, --out-interface [!] name
              The interface via which a frame is going to be sent (for the
              OUTPUT and FORWARD chains). The flag --out-if is an alias for
              this option.

       -l, --h-length length[/mask]
              The hardware address length (number of bytes).

       --opcode code[/mask]
              The operation code (2 bytes). Available values are: 1=Request
              2=Reply 3=Request_Reverse 4=Reply_Reverse 5=DRARP_Request
              6=DRARP_Reply 7=DRARP_Error 8=InARP_Request 9=ARP_NAK.

       --h-type type[/mask]
              The hardware type (2 bytes, hexadecimal). Available values
              are: 1=Ethernet.

       --proto-type type[/mask]
              The protocol type (2 bytes). Available values are: 0x800=IPv4.


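       A defensive ruleset built from the commands, targets and rule
       specifications above, added here as an example (it is not part of the
       arptables man page): it pins an assumed gateway IP/MAC pair on an
       assumed interface (eth0, 192.0.2.1 and 02:00:5e:00:53:01 are all
       constructed placeholders) so that inbound ARP frames claiming the
       gateway IP from any other MAC are dropped, and uses CONTINUE rules as
       counters. Without an argument the script dry-runs and only prints the
       arptables command lines; "apply" executes them (as root).

```shell
#!/bin/sh
# Added example, not from the arptables man page: pin the default gateway's
# IP<->MAC pair on one interface so that ARP frames claiming the gateway IP
# from any other MAC are dropped, and count inbound replies with CONTINUE.
# Interface, gateway IP and gateway MAC are constructed placeholder values.
IFACE="${IFACE:-eth0}"
GW_IP="${GW_IP:-192.0.2.1}"
GW_MAC="${GW_MAC:-02:00:5e:00:53:01}"

# "apply" runs the real tool (needs root); the default is a dry run that
# only prints the arptables command lines it would execute.
case "${1:-dry-run}" in
    apply)   ARPTABLES=arptables ;;
    dry-run) ARPTABLES=echo ;;
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 2 ;;
esac

at() { "$ARPTABLES" "$@"; }

pin_gateway() {
    # Known starting state: flush every chain, then drop stale user chains.
    at -F
    at -X
    # User-defined chain that only ever sees frames claiming the gateway IP.
    at -N gw-check
    # CONTINUE matches but keeps traversing, so this rule is a pure counter
    # (read it with -L, or -L -Z to print and reset in one go).
    at -A gw-check -j CONTINUE
    # The genuine pair is accepted; any other sender MAC is dropped.
    at -A gw-check --source-mac "$GW_MAC" -j ACCEPT
    at -A gw-check -j DROP
    # Count inbound replies (opcode 2) on the interface without deciding.
    at -A INPUT -i "$IFACE" --opcode 2 -j CONTINUE
    # Any inbound frame whose sender IP is the gateway, request or reply
    # (so gratuitous requests are covered too), is handed to gw-check.
    at -A INPUT -i "$IFACE" -s "$GW_IP" -j gw-check
    # Frames that do not claim the gateway IP keep the permissive policy.
    at -P INPUT ACCEPT
}

pin_gateway
```

       Because -X without a chain only removes unreferenced user-defined
       chains, flushing first guarantees gw-check can be recreated on every
       run.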
TARGET-EXTENSIONS
       arptables extensions are precompiled into the userspace tool. So there
       is no need to explicitly load them with a -m option like in iptables.
       However, these extensions deal with functionality supported by
       supplemental kernel modules.

   mangle
       --mangle-ip-s IP address
              Mangles Source IP Address to given value.

       --mangle-ip-d IP address
              Mangles Destination IP Address to given value.

       --mangle-mac-s MAC address
              Mangles Source MAC Address to given value.

       --mangle-mac-d MAC address
              Mangles Destination MAC Address to given value.

       --mangle-target target
              Target of ARP mangle operation (DROP, CONTINUE or ACCEPT --
              default is ACCEPT).

   CLASSIFY
       This module allows you to set the skb->priority value (and thus
       classify the packet into a specific CBQ class).

       --set-class major:minor
              Set the major and minor class value. The values are always
              interpreted as hexadecimal even if no 0x prefix is given.

   MARK
       This module allows you to set the skb->mark value (and thus classify
       the packet by the mark in u32).

       --set-mark mark
              Set the mark value. The values are always interpreted as
              hexadecimal even if no 0x prefix is given.

       --and-mark mark
              Binary AND the mark with bits.

       --or-mark mark
              Binary OR the mark with bits.

MAILINGLISTS
       See http://netfilter.org/mailinglists.html

SEE ALSO
       iptables(8), ebtables(8), arp(8), rarp(8), ifconfig(8), route(8)

       See http://ebtables.sf.net



June 2018                                                         ARPTABLES(8)